Someone Hack My Firebase & Deleted all data

you have your rules like this? and you can write and read?

{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null"
  }
}

Yes, I can read and write with my rules set up like that.

can you share how did you get it please? i don’t understand why i can’t

i succesfully login, but when i want to get the tag list, it doesn’t show unless i put the rules to true


I don’t use Firebase Authentication.

So, how do you do it?

Firebase auth and database are two different things :slight_smile:


I know, but if you want a private database, you need to authenticate

I think I know the reason. In fact, it is not that someone deleted it, but wrong code logic in your application. For example, you let users get the data, but at the same time other users can also get the data, and all users can also delete the data. Then, when the data has already been deleted by one of the users and another user also deletes the label, the data no longer exists in the database. Therefore, all data is deleted. I have encountered this problem several times, and I still don’t know how to use Firebase. Recently I have been studying Firebase, and at the same time I did this action; all data was deleted immediately.

@kentleow1496 you are 2 years late to answer :sweat_smile:


Yes, because I happened to be searching for ways to prevent the application from deleting all the data when there is an error, and I saw the reason along the way, so that when someone like me is looking for an answer in the future there will be one to find. I understand how uncomfortable it is when a person wants to do something serious without help and it is hard to get help, so I don’t want someone else to be like me.


You may have set database rules to “Test Mode”, which allows anyone to read or write data without a token.

Yes. It’s important to remember about security. It’s easy to ignore, but don’t! When you put API keys and other stuff in your app, it’s important to remember that even obfuscated data can be found. That’s why server-side security is so important. Don’t expect that protection within your app alone will ward off hackers. As someone who’s done ethical hacking before (I used to get requests from sites to hack them and report any security vulnerabilities, super cool side hustle), I get extremely nervous every time someone says that obfuscation is a good method, or that their app is well-protected without server-side security.

So, could you share a good form to secure them? :pray:t3:


What do you mean? If you mean a method, Firebase’s built-in security rules are a method. I’ll link to some useful resources about them here.

Getting started guide:
https://firebase.google.com/docs/firestore/security/get-started

Syntax and structure:
https://firebase.google.com/docs/firestore/security/rules-structure

Writing conditions (like allowing access only when user is signed in):
https://firebase.google.com/docs/firestore/security/rules-conditions

There’s also more on their official documentation website.
Remember, when things are only secured on the client side, anyone could reverse-engineer it and do something bad. While there are many people who will report these vulnerabilities (like me, an ethical hacker who lets people know about security holes), there are people who will use it against you, like you showed.
Server-side security is very important, and I suggest that you read through these linked documents a bit to get an idea of how it works in Firebase (and how to implement it).

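To make the linked rules concrete for a Realtime Database (the kind the `"rules"` JSON earlier in this thread targets), here is an added example rule set; it is not from the original thread or from any poster's project, and the `users/$uid/tags` and `public` layout is an assumed data shape chosen for illustration. It contrasts the “Test Mode” setting (`".read": true, ".write": true`, which lets any client, signed in or not, read or wipe everything) and the bare `auth != null` rule from the top of the thread (which lets any signed-in account read and delete every other user's data) with rules that lock the root and grant each account access only to its own node:

```json
{
  "rules": {
    // Added example (not the thread's own rules). Weak settings for comparison:
    //   Test Mode:    ".read": true,           ".write": true
    //   Thread rule:  ".read": "auth != null", ".write": "auth != null"
    // Both let a single buggy or hostile client delete the whole tree at once.
    //
    // Deny everything at the root. Realtime Database rules cascade downward
    // (a grant at a parent cannot be revoked by a child), so start closed and
    // open only specific paths below.
    ".read": false,
    ".write": false,

    "users": {
      "$uid": {
        // Assumed layout: each account owns exactly one node named after its uid.
        // A signed-in user may read and write only that node, so one client's
        // delete can never remove another user's data or the whole database.
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",

        "tags": {
          "$tagId": {
            // Assumed shape: each tag is a short string under a push id.
            ".validate": "newData.isString() && newData.val().length <= 64"
          }
        }
      }
    },

    "public": {
      // Shared data readable by any signed-in account but never writable from
      // a client; updates to it must come from the server side (for example
      // the Admin SDK), which is the "server-side security" discussed above.
      ".read": "auth != null",
      ".write": false
    }
  }
}
```

These rules are enforced by Firebase itself, so they hold even when the app's API key or obfuscated strings are recovered from the APK: a client holding the key still needs a valid ID token whose `uid` matches the path it touches. Note that `.validate` is not evaluated on deletes, so limiting who may write (the `.write` rule) is what protects the data, and `auth != null` will also be satisfied by anonymous sign-in if that provider is enabled.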

This. There are a lot of App Inventor apps with horrible Firebase security (allow writing for everyone). But it’s not just the creators’ fault; most tutorials show it this way.
The lazy man’s solution would be not to include your firebase properties in the component itself, but set it with set blocks when the app starts using obfuscated strings.

This is still far from 100% secure but makes reverse engineering a bit harder.

In my case I used obfuscated text but it was still hacked within 30 seconds. How can this be overcome?
What is the proper solution for this?
How do I use it properly?

I think there are ways… to do that… I’m also haunted by this.

You can try to use this extension:


That is why I secure my account often. I have not been hacked before, nor have my apps been hacked and I never use Firebase.

Without data, the user can’t get their own data.
If payment data is deleted, the user can’t use the project.
